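I am using Firebase Authentication for my application and use it to authenticate users to a backend API with JWT tokens. On the API backend I have configured the JWT secret, which is the asymmetric key pulled from the following URL:
https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com
Everything works fine. Recently I needed to create a cloud function that also has to call the API backend. To do this, I am using the custom token creation feature documented at:
https://firebase.google.com/docs/auth/admin/create-custom-tokens
This creates a token with the correct custom claims: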

    let additionalClaims = {
      'x-hasura-default-role': 'admin',
      'x-hasura-allowed-roles': ['user', 'admin']
    };
    admin.auth().createCustomToken(userId, additionalClaims)
      .then(function (customToken) {
        console.log(customToken);
        response.end(JSON.stringify({
          token: customToken
        }));
      })
      .catch(function (error) {
        console.log('Error creating custom token:', error);
      });

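However, when I try to use it against the backend API, I get a "JWTInvalidSignature" error. In my cloud function I specify the service account from my Firebase project, but that does not seem to help. When I look at the two decoded tokens, they definitely appear to come from different services.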
CustomToken

    {
      "aud": "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit",
      "iat": 1573164629,
      "exp": 1573168229,
      "iss": "firebase-adminsdk-r2942@postgrest-b4c8c.iam.gserviceaccount.com",
      "sub": "firebase-adminsdk-r2942@postgrest-b4c8c.iam.gserviceaccount.com",
      "uid": "mikeuserid",
      "claims": {
        "x-hasura-default-role": "admin",
        "x-hasura-allowed-roles": [
          "user",
          "admin"
        ]
      }
    }

Token from Firebase Auth

    {
      "role": "webuser",
      "schema": "customer1",
      "userid": "15",
      "claims": {
        "x-hasura-default-role": "user",
        "x-hasura-allowed-roles": [
          "user",
          "admin"
        ],
        "x-hasura-user-id": "OS2T2rdkM5UlhfWLHEjNExZ71lq1",
        "x-hasura-dbuserid": "15"
      },
      "iss": "https://securetoken.google.com/postgrest-b4c8c",
      "aud": "postgrest-b4c8c",
      "auth_time": 1573155319,
      "user_id": "OS2T2rdkM5UlhfWLHEjNExZ71lq1",
      "sub": "OS2T2rdkM5UlhfWLHEjNExZ71lq1",
      "email": "johnny1@gmail.com",
      "email_verified": false,
      "firebase": {
        "identities": {
          "email": [
            "johnny1@gmail.com"
          ]
        },
        "sign_in_provider": "password"
      }
    }

How can I get this customToken to work with the existing JWT secret key that is already configured?
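
The issuer mismatch described in the question can be checked before a token ever reaches the backend. The following is an added example, not part of the original post: it decodes a token without verifying it and reports whether its claims match a Firebase ID token (signed by the securetoken service whose keys the backend loaded) or a custom token (signed with the service account's own key). The helper names `classifyToken` and `makeSample` are hypothetical, and the sample tokens are constructed from the claims shown in the post with a dummy signature.

```javascript
// Added example: decode a JWT WITHOUT verifying it and report which signer its
// claims point to. Claim values below are taken from the decoded tokens in the post.
const ID_TOKEN_ISS_PREFIX = 'https://securetoken.google.com/';
const CUSTOM_TOKEN_AUD =
  'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

// Decode one base64url JWT segment into an object (no signature check).
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// classifyToken is a hypothetical helper name; projectId is the Firebase project ID.
function classifyToken(jwt, projectId) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS: expected 3 segments');
  const { iss, aud, sub } = decodeSegment(parts[1]);
  let kind = 'unknown';
  if (iss === ID_TOKEN_ISS_PREFIX + projectId && aud === projectId) {
    kind = 'id-token'; // issued by the securetoken service
  } else if (aud === CUSTOM_TOKEN_AUD && iss === sub &&
             String(iss).endsWith('.gserviceaccount.com')) {
    kind = 'custom-token'; // signed with the service account named in iss
  }
  // Only ID tokens carry a signature made with the securetoken keys the backend loaded.
  return { kind, iss, aud, matchesSecuretokenKeys: kind === 'id-token' };
}

// Constructed sample tokens: payloads reduced from the post, signature is a dummy.
function makeSample(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(payload), 'ZHVtbXk'].join('.');
}
const SA = 'firebase-adminsdk-r2942@postgrest-b4c8c.iam.gserviceaccount.com';
const customSample = makeSample({ aud: CUSTOM_TOKEN_AUD, iss: SA, sub: SA, uid: 'mikeuserid' });
const idSample = makeSample({
  iss: ID_TOKEN_ISS_PREFIX + 'postgrest-b4c8c', aud: 'postgrest-b4c8c',
  sub: 'OS2T2rdkM5UlhfWLHEjNExZ71lq1',
});

console.log(classifyToken(customSample, 'postgrest-b4c8c'));
console.log(classifyToken(idSample, 'postgrest-b4c8c'));
```

This check only reads claims to explain a verification failure; it is not a substitute for signature verification on the backend.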